<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Generated by Apache Maven Doxia Site Renderer 1.4 at 18 Feb 2015 -->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>CodeNarc - CodeNarc - Security Rules</title>
<style type="text/css" media="all">
@import url("./css/maven-base.css");
@import url("./css/maven-theme.css");
@import url("./css/site.css");
</style>
<link rel="stylesheet" href="./css/print.css" type="text/css" media="print" />
<meta name="Date-Revision-yyyymmdd" content="20150218" />
<meta http-equiv="Content-Language" content="en" />
</head>
<body class="composite">
<div id="banner">
<a href="./" id="bannerLeft">
<img src="images/codenarc-logo.png" alt="CodeNarc" />
</a>
<a href="http://github.com/CodeNarc" id="bannerRight">
<img src="images/forkme_right_red_aa0000.png" alt="Fork me on GitHub" />
</a>
<div class="clear">
<hr/>
</div>
</div>
<div id="breadcrumbs">
<div class="xleft">
<span id="publishDate">Last Published: 18 Feb 2015</span>
| <span id="projectVersion">Version: 0.23</span>
</div>
<div class="xright">
</div>
<div class="clear">
<hr/>
</div>
</div>
<div id="leftColumn">
<div id="navcolumn">
<h5>General</h5>
<ul>
<li class="none">
<a href="index.html" title="Home">Home</a>
</li>
<li class="none">
<a href="https://sourceforge.net/project/showfiles.php?group_id=250145" class="externalLink" title="Downloads">Downloads</a>
</li>
<li class="none">
<a href="apidocs/index.html" title="Javadocs">Javadocs</a>
</li>
<li class="none">
<a href="http://sourceforge.net/mail/?group_id=250145" class="externalLink" title="Mailing Lists">Mailing Lists</a>
</li>
<li class="none">
<a href="http://sourceforge.net/tracker/?group_id=250145" class="externalLink" title="Bug Tracker">Bug Tracker</a>
</li>
<li class="none">
<a href="http://sourceforge.net/projects/codenarc" class="externalLink" title="SourceForge Project">SourceForge Project</a>
</li>
<li class="none">
<a href="http://github.com/CodeNarc" class="externalLink" title="GitHub Project">GitHub Project</a>
</li>
</ul>
<h5>Running</h5>
<ul>
<li class="none">
<a href="codenarc-ant-task.html" title="Ant Task Usage">Ant Task Usage</a>
</li>
<li class="none">
<a href="codenarc-command-line.html" title="Command-Line">Command-Line</a>
</li>
<li class="none">
<a href="codenarc-run-as-a-test.html" title="Run as a Test">Run as a Test</a>
</li>
<li class="none">
<a href="codenarc-other-tools-frameworks.html" title="Other Tools/Frameworks">Other Tools/Frameworks</a>
</li>
</ul>
<h5>Using</h5>
<ul>
<li class="none">
<a href="codenarc-creating-ruleset.html" title="Creating a RuleSet">Creating a RuleSet</a>
</li>
<li class="none">
<a href="codenarc-creating-rule.html" title="Creating a Rule">Creating a Rule</a>
</li>
<li class="none">
<a href="codenarc-configuring-rules.html" title="Configuring Rules">Configuring Rules</a>
</li>
<li class="none">
<a href="StarterRuleSet-AllRulesByCategory.groovy.txt" title="Starter RuleSet (All)">Starter RuleSet (All)</a>
</li>
</ul>
<h5>Report Types</h5>
<ul>
<li class="none">
<a href="codenarc-HtmlReportWriter.html" title="HTML Report">HTML Report</a>
</li>
<li class="none">
<a href="codenarc-XmlReportWriter.html" title="XML Report">XML Report</a>
</li>
<li class="none">
<a href="codenarc-TextReportWriter.html" title="Text and IDE Reports">Text and IDE Reports</a>
</li>
</ul>
<h5>Sample Reports</h5>
<ul>
<li class="none">
<a href="SampleCodeNarcHtmlReport.html" title="Sample HTML Report">Sample HTML Report</a>
</li>
<li class="none">
<a href="SampleCodeNarcXmlReport.xml" title="Sample XML Report">Sample XML Report</a>
</li>
</ul>
<h5>Rules</h5>
<ul>
<li class="none">
<a href="codenarc-rule-index.html" title="Rule Index">Rule Index</a>
</li>
<li class="none">
<a href="codenarc-rules-basic.html" title="Basic Rules">Basic Rules</a>
</li>
<li class="none">
<a href="codenarc-rules-braces.html" title="Braces Rules">Braces Rules</a>
</li>
<li class="none">
<a href="codenarc-rules-concurrency.html" title="Concurrency Rules">Concurrency Rules</a>
</li>
<li class="none">
<a href="codenarc-rules-convention.html" title="Convention Rules">Convention Rules</a>
</li>
<li class="none">
<a href="codenarc-rules-design.html" title="Design Rules">Design Rules</a>
</li>
<li class="none">
<a href="codenarc-rules-dry.html" title="DRY Rules">DRY Rules</a>
</li>
<li class="none">
<a href="codenarc-rules-enhanced.html" title="Enhanced Rules">Enhanced Rules</a>
</li>
<li class="none">
<a href="codenarc-rules-exceptions.html" title="Exceptions Rules">Exceptions Rules</a>
</li>
<li class="none">
<a href="codenarc-rules-formatting.html" title="Formatting Rules">Formatting Rules</a>
</li>
<li class="none">
<a href="codenarc-rules-generic.html" title="Generic Rules">Generic Rules</a>
</li>
<li class="none">
<a href="codenarc-rules-grails.html" title="Grails Rules">Grails Rules</a>
</li>
<li class="none">
<a href="codenarc-rules-groovyism.html" title="Groovyism Rules">Groovyism Rules</a>
</li>
<li class="none">
<a href="codenarc-rules-imports.html" title="Imports Rules">Imports Rules</a>
</li>
<li class="none">
<a href="codenarc-rules-jdbc.html" title="JDBC Rules">JDBC Rules</a>
</li>
<li class="none">
<a href="codenarc-rules-junit.html" title="JUnit Rules">JUnit Rules</a>
</li>
<li class="none">
<a href="codenarc-rules-logging.html" title="Logging Rules">Logging Rules</a>
</li>
<li class="none">
<a href="codenarc-rules-naming.html" title="Naming Rules">Naming Rules</a>
</li>
<li class="none">
<a href="codenarc-rules-size.html" title="Size/Complexity Rules">Size/Complexity Rules</a>
</li>
<li class="none">
<strong>Security Rules</strong>
</li>
<li class="none">
<a href="codenarc-rules-serialization.html" title="Serialization Rules">Serialization Rules</a>
</li>
<li class="none">
<a href="codenarc-rules-unnecessary.html" title="Unnecessary Rules">Unnecessary Rules</a>
</li>
<li class="none">
<a href="codenarc-rules-unused.html" title="Unused Rules">Unused Rules</a>
</li>
</ul>
<h5>Developing</h5>
<ul>
<li class="none">
<a href="codenarc-developer-guide.html" title="Developer Guide">Developer Guide</a>
</li>
</ul>
<h5>Project Documentation</h5>
<ul>
<li class="collapsed">
<a href="project-info.html" title="Project Information">Project Information</a>
</li>
<li class="collapsed">
<a href="project-reports.html" title="Project Reports">Project Reports</a>
</li>
</ul>
<a href="http://sourceforge.net" title="Hosted on SourceForge.net" class="poweredBy">
<img class="poweredBy" alt="Hosted on SourceForge.net" src="http://sflogo.sourceforge.net/sflogo.php?group_id=208647&type=2" />
</a>
<a href="http://maven.apache.org" title="Build with Maven 2" class="poweredBy">
<img class="poweredBy" alt="Build with Maven 2" src="images/logos/maven-feather.png" />
</a>
</div>
</div>
<div id="bodyColumn">
<div id="contentBox">
<div class="section">
<h2>Security Rules ("<i>rulesets/security.xml</i>")<a name="Security_Rules_rulesetssecurity.xml"></a></h2><!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<p>Also see <a href="./codenarc-rules-grails.html#GrailsMassAssignment">GrailsMassAssignment</a>.</p>
<div class="section">
<h3><a name="FileCreateTempFile">FileCreateTempFile</a> Rule<a name="FileCreateTempFile_Rule"></a></h3><!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<p><i>New in CodeNarc 0.14</i></p>
<p>The <tt>File.createTempFile()</tt> method is considered insecure by the ESAPI secure coding library, which deprecates it in favour of its <tt>Randomizer.getRandomFilename(String)</tt> method. The file it creates receives the platform's default permissions (under the usual Unix umask, readable by other local users) and lives in a temporary directory shared with every other process on the machine, so anything written into it should be treated as exposed unless the permissions are tightened.</p>
<p>For more information see the ESAPI website: http://code.google.com/p/owasp-esapi-java/ and the Randomizer Javadoc: <a class="externalLink" href="http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Randomizer.html">http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Randomizer.html</a></p></div>
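<p>The flagged call beside a hardened replacement, as an added example that is not part of the CodeNarc documentation or the ESAPI library. It swaps in the JDK's own <tt>java.nio.file.Files.createTempFile</tt> (available since Java 7) instead of the ESAPI Randomizer the rule text names, and adds the check a test would run; the <tt>upload</tt>/<tt>.tmp</tt> names are arbitrary.</p>

```groovy
import java.nio.file.Files
import java.nio.file.Path
import java.nio.file.attribute.FileAttribute
import java.nio.file.attribute.PosixFilePermission
import java.nio.file.attribute.PosixFilePermissions

// Flagged by the rule: the file takes the platform's default permissions, which under the
// usual Unix umask (022) means other local users can read whatever is written into it.
File legacyTemp() {
    return File.createTempFile('upload', '.tmp')
}

// Replacement used in this example (NIO.2 rather than the ESAPI Randomizer the rule names):
// the file is created exclusively, named from a SecureRandom-backed generator, and on POSIX
// file systems restricted to its owner.
Path secureTemp() {
    FileAttribute<Set<PosixFilePermission>> ownerOnly =
        PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString('rw-------'))
    try {
        return Files.createTempFile('upload', '.tmp', ownerOnly)
    } catch (UnsupportedOperationException ignored) {
        // Non-POSIX file systems (NTFS) reject the attribute; fall back to the default,
        // which on Windows already lands in a per-user temporary directory.
        return Files.createTempFile('upload', '.tmp')
    }
}

// Check worth running in a test: nothing outside OWNER_* may appear in the permission set.
boolean isOwnerOnly(Path p) {
    try {
        return Files.getPosixFilePermissions(p).every { it.name().startsWith('OWNER_') }
    } catch (UnsupportedOperationException ignored) {
        return false   // no POSIX permissions to inspect on this file system
    }
}

Path tmp = secureTemp()
try {
    println "created ${tmp}, owner-only: ${isOwnerOnly(tmp)}"
} finally {
    Files.deleteIfExists(tmp)
}
```

<p>Passing the permission attribute explicitly is belt-and-braces: on POSIX systems <tt>Files.createTempFile</tt> already defaults to <tt>rw-------</tt>, which is the main practical difference from the <tt>java.io.File</tt> version. Delete the file as soon as it is no longer needed; a long-lived file in a shared temporary directory is an invitation to tamper with it.</p>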
<div class="section">
<h3><a name="InsecureRandom">InsecureRandom</a> Rule<a name="InsecureRandom_Rule"></a></h3><!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<p><i>New in CodeNarc 0.14</i></p>
<p>Reports usages of <tt>java.util.Random</tt>, which produces predictable results: it is a 48-bit linear congruential generator, so two instances created with the same seed and given the same sequence of method calls return identical values, and its internal state can be reconstructed from a handful of its outputs. <tt>Math.random()</tt> is reported as well, because it is backed by a shared <tt>java.util.Random</tt>. Use <tt>java.security.SecureRandom</tt> instead, which provides a cryptographically strong random number generator. <tt>SecureRandom</tt> is also a PRNG, i.e. a deterministic algorithm, but it is seeded from an entropy source supplied by the operating system and uses an algorithm whose output cannot be predicted from earlier outputs, so a second instance cannot reproduce its sequence.</p>
<p>By default, this rule ignores test classes.</p>
<p>For more information see: <a class="externalLink" href="http://www.klocwork.com/products/documentation/current/Checkers:SV.RANDOM">http://www.klocwork.com/products/documentation/current/Checkers:SV.RANDOM</a></p>
<p>Example of violations:</p>
<div>
<pre> def r1 = new Random()
def r2 = new java.util.Random()
Math.random()
java.lang.Math.random()
// this is OK
new java.security.SecureRandom()
new SecureRandom()
</pre></div></div>
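<p>How predictable <tt>java.util.Random</tt> really is, as an added example that is not part of the CodeNarc documentation: the script recovers the generator's full internal state from two consecutive <tt>nextInt()</tt> values and predicts the third before it is drawn. The constants are those of the JDK's generator; the "token" framing and the <tt>RandomPredictor</tt> class are constructed for the example.</p>

```groovy
import java.security.SecureRandom

// Recovers java.util.Random's internal state from two consecutive nextInt() outputs and
// predicts the third. MULT, ADD and MASK are the JDK's 48-bit linear congruential constants.
class RandomPredictor {
    static final long MULT = 0x5DEECE66DL
    static final long ADD  = 0xBL
    static final long MASK = (1L << 48) - 1

    // nextInt() returns the upper 32 bits of the 48-bit state, so only the low 16 bits
    // are unknown: 65,536 candidates, each checked against the second output.
    static Long recoverState(int out1, int out2) {
        long high = (out1 & 0xFFFFFFFFL) << 16
        for (long low = 0; low < 0x10000; low++) {
            long candidate = high | low
            long next = (candidate * MULT + ADD) & MASK
            if (((int) (next >>> 16)) == out2) {
                return next        // state after out2 was produced
            }
        }
        return null                // the two values did not come from one java.util.Random
    }

    static int predictNext(long state) {
        long next = (state * MULT + ADD) & MASK
        return (int) (next >>> 16)
    }
}

// Flagged by the rule: a "session token" generator built on java.util.Random.
Random weak = new Random()
int t1 = weak.nextInt()
int t2 = weak.nextInt()
Long state = RandomPredictor.recoverState(t1, t2)
assert state != null
int guessed = RandomPredictor.predictNext(state)
assert guessed == weak.nextInt()          // the attacker knew the next token in advance
println "predicted next token: ${guessed}"

// Not flagged: a cryptographically strong generator. Let the JDK seed it; calling
// setSeed() with a fixed value before first use makes some providers (SHA1PRNG) deterministic.
SecureRandom strong = new SecureRandom()
byte[] token = new byte[32]
strong.nextBytes(token)
println "token: ${token.encodeHex()}"
```

<p>The seed passed to <tt>new Random(seed)</tt> is irrelevant to the attack; the state is recovered from the outputs alone, which is why "seeding it with the time" does not help. For tokens, draw raw bytes from <tt>SecureRandom</tt> and encode them, rather than narrowing the output through <tt>nextInt()</tt> ranges.</p>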
<div class="section">
<h3><a name="JavaIoPackageAccess">JavaIoPackageAccess</a> Rule<a name="JavaIoPackageAccess_Rule"></a></h3><!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<p><i>New in CodeNarc 0.14</i></p>
<p>This rule reports violations of the Enterprise JavaBeans specification by using the java.io package to access files or the file system.</p>
<p>The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container [1].</p>
<p>In this case, the program violates the following EJB guideline: "An enterprise bean must not use the java.io package to attempt to access files and directories in the file system."</p>
<p>A requirement that the specification justifies in the following way: "The file system APIs are not well-suited for business components to access data. Business components should use a resource manager API, such as JDBC, to store data."</p>
<p>REFERENCES</p>
<ol style="list-style-type: decimal">
<li>Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 576</li>
<li>The Enterprise JavaBeans 2.1 Specification Sun Microsystems</li></ol>
<p>By default, this rule is not applied to tests and test cases.</p>
<p>Example of violations:</p>
<div>
<pre> FileSystem.getFileSystem() // any method on FileSystem
FileSystem.fileSystem.delete(aFile) // property access of FileSystem
// shouldn't create files
new File(name)
new File(parent, name)
// don't create file readers
new FileReader(name)
// don't create file output streams
new FileOutputStream(name)
new FileOutputStream(name, true)
// don't create random access files
new RandomAccessFile(name, mode)
</pre></div></div>
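<p>A bean that breaks the guideline beside one that follows the "use a resource manager API" advice, as an added example that is not part of the CodeNarc documentation. The <tt>documents</tt> table, the injected <tt>DataSource</tt> and the upload directory are assumptions of the example; the JDBC access goes through Groovy's standard <tt>groovy.sql.Sql</tt>.</p>

```groovy
import groovy.sql.Sql
import javax.sql.DataSource

// Flagged by the rule, and a path-traversal hole on top: the bean persists a caller-named
// document straight into the file system.
class FileBackedDocumentBean {
    void store(String name, byte[] body) {
        new FileOutputStream(new File('/var/app/uploads', name)).withStream { it.write(body) }
    }
}

// What the file-system version lets a caller do: the name escapes the upload directory.
String escaped = new File('/var/app/uploads', '../../../etc/cron.d/job').canonicalPath
println "caller-controlled name resolves to: ${escaped}"
assert !escaped.startsWith('/var/app/uploads')

// Replacement: a resource-manager API (JDBC through groovy.sql.Sql) with bound parameters,
// so neither the file system nor SQL syntax is reachable from the caller's input.
// The container is expected to inject the DataSource; the column 'body' is assumed to be a
// BLOB/VARBINARY that the driver returns as byte[].
class JdbcDocumentBean {
    DataSource dataSource

    void store(String name, byte[] body) {
        Sql sql = new Sql(dataSource)
        try {
            sql.execute('INSERT INTO documents (name, body) VALUES (?, ?)', [name, body])
        } finally {
            sql.close()
        }
    }

    byte[] load(String name) {
        Sql sql = new Sql(dataSource)
        try {
            return sql.firstRow('SELECT body FROM documents WHERE name = ?', [name])?.body
        } finally {
            sql.close()
        }
    }
}
```

<p>The traversal assertion runs without a database and without touching the disk; the two bean classes only compile here, since a <tt>DataSource</tt> needs a container or a driver. The CWE-576 point is portability, but in practice the rule also flushes out exactly this kind of user-controlled path.</p>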
<div class="section">
<h3><a name="NonFinalPublicField">NonFinalPublicField</a> Rule<a name="NonFinalPublicField_Rule"></a></h3><!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<p><i>New in CodeNarc 0.14</i></p>
<p>Finds code that violates secure coding principles for mobile code by declaring a member variable public but not final.</p>
<p>All public member variables in an Applet and in classes used by an Applet should be declared final to prevent an attacker from manipulating or gaining unauthorized access to the internal state of the Applet.</p>
<p>References:</p>
<ul>
<li>Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 493</li>
<li>G. McGraw Securing Java. Chapter 7: Java Security Guidelines</li></ul></div>
<div class="section">
<h3><a name="NonFinalSubclassOfSensitiveInterface">NonFinalSubclassOfSensitiveInterface</a> Rule<a name="NonFinalSubclassOfSensitiveInterface_Rule"></a></h3><!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<p><i>New in CodeNarc 0.14</i></p>
<p>The permissions classes such as <tt>java.security.Permission</tt> and <tt>java.security.BasicPermission</tt> are designed to be extended. Classes that derive from these permissions classes, however, must prohibit extension. This prohibition ensures that malicious subclasses cannot change the properties of the derived class. Classes that implement sensitive interfaces such as <tt>java.security.PrivilegedAction</tt> and <tt>java.security.PrivilegedActionException</tt> must also be declared <tt>final</tt> for analogous reasons.</p>
<p>For more information see: <a class="externalLink" href="https://www.securecoding.cert.org/confluence/display/java/SEC07-J.+Classes+that+derive+from+a+sensitive+class+or+implement+a+sensitive+interface+must+be+declared+final">https://www.securecoding.cert.org/confluence/display/java/SEC07-J.+Classes+that+derive+from+a+sensitive+class+or+implement+a+sensitive+interface+must+be+declared+final</a></p>
<p>Example of violations:</p>
<div>
<pre> class MyPermission extends java.security.Permission {
MyPermission(String name) { super(name) }
boolean implies(Permission permission) { true }
boolean equals(Object obj) { true }
int hashCode() { 0 }
String getActions() { "action" }
}
class MyBasicPermission extends BasicPermission {
MyBasicPermission(String name) { super(name) }
}
class MyPrivilegedAction implements PrivilegedAction {
Object run() { 0 }
}
class MyPrivilegedActionException extends PrivilegedActionException {
MyPrivilegedActionException(Exception exception) { super(exception) }
}
</pre></div></div>
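<p>Why the non-final subclass matters, as an added example that is not part of the CodeNarc documentation: a path-scoped permission like the page's <tt>MyPermission</tt> is left extensible, a subclass rewrites <tt>implies()</tt>, and a checker that only tests <tt>instanceof</tt> is fooled. The <tt>PathPermission</tt>, <tt>AnythingPermission</tt>, <tt>SafePathPermission</tt> classes and the <tt>granted()</tt> check are constructed for the example.</p>

```groovy
import java.lang.reflect.Modifier
import java.security.Permission

// Like the page's MyPermission, but with real decision logic: grants access only to
// paths below this permission's directory. Not final, which is the rule's complaint.
class PathPermission extends Permission {
    PathPermission(String name) { super(name) }
    boolean implies(Permission p) { p instanceof PathPermission && p.name.startsWith(getName() + '/') }
    boolean equals(Object o) { o instanceof PathPermission && o.name == getName() }
    int hashCode() { getName().hashCode() }
    String getActions() { 'read' }
}

// Because PathPermission is not final, any code in the class loader (a plugin, a
// deserialized object) can subclass it and replace the decision with "always yes".
class AnythingPermission extends PathPermission {
    AnythingPermission() { super('/') }
    boolean implies(Permission p) { true }
}

// Policy check modelled on how Permission#implies is used by containers.
boolean granted(Permission held, Permission requested) {
    held instanceof PathPermission && held.implies(requested)
}

assert  granted(new PathPermission('/data/alice'), new PathPermission('/data/alice/notes'))
assert !granted(new PathPermission('/data/alice'), new PathPermission('/data/bob/notes'))
assert  granted(new AnythingPermission(),          new PathPermission('/etc/shadow'))   // bypass

// The fix the rule asks for: declare the class final. Both groovyc and javac then reject a
// subclass like AnythingPermission at compile time, and the JVM rejects one at load time.
final class SafePathPermission extends Permission {
    SafePathPermission(String name) { super(name) }
    boolean implies(Permission p) { p instanceof SafePathPermission && p.name.startsWith(getName() + '/') }
    boolean equals(Object o) { o instanceof SafePathPermission && o.name == getName() }
    int hashCode() { getName().hashCode() }
    String getActions() { 'read' }
}
assert Modifier.isFinal(SafePathPermission.modifiers)
```

<p>The reflective <tt>Modifier.isFinal</tt> check is the kind of assertion worth keeping in a unit test next to any custom <tt>Permission</tt> or <tt>PrivilegedAction</tt>, so that a later refactoring cannot quietly drop the modifier.</p>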
<div class="section">
<h3><a name="PublicFinalizeMethod">PublicFinalizeMethod</a> Rule<a name="PublicFinalizeMethod_Rule"></a></h3><!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<p><i>New in CodeNarc 0.14</i></p>
<p>Creates a violation when the program violates secure coding principles by declaring a <tt>finalize()</tt> method public.</p>
<p>A program should never call finalize explicitly, except to call super.finalize() inside an implementation of <tt>finalize()</tt>. In mobile code situations, the otherwise error prone practice of manual garbage collection can become a security threat if an attacker can maliciously invoke one of your finalize() methods because it is declared with public access. If you are using <tt>finalize()</tt> as it was designed, there is no reason to declare <tt>finalize()</tt> with anything other than protected access.</p>
<p>References:</p>
<ul>
<li>Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 583</li>
<li>G. McGraw Securing Java. Chapter 7: Java Security Guidelines</li></ul></div>
<div class="section">
<h3><a name="ObjectFinalize">ObjectFinalize</a> Rule<a name="ObjectFinalize_Rule"></a></h3><!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<p><i>New in CodeNarc 0.14</i></p>
<p>The <tt>finalize()</tt> method should only be invoked by the garbage collector, once it has determined that there are no more references to the object.</p>
<p>While the Java Language Specification allows an object's <tt>finalize()</tt> method to be called from outside the finalizer, doing so is usually a bad idea. Calling <tt>finalize()</tt> explicitly means that it will run more than once: the first time is the explicit call and the last time is the call the garbage collector makes when it finalizes the object. Whatever cleanup <tt>finalize()</tt> performs therefore happens twice, and after the first run the object is still reachable and may be used with its resources already released. (<tt>Object.finalize()</tt> is deprecated since Java 9; resources should be released through <tt>AutoCloseable</tt> and an explicit <tt>close()</tt> instead.)</p>
<p>References: Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 586</p></div>
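<p>The two finalizer rules above demonstrated together, as an added example that is not part of the CodeNarc documentation. The <tt>Handles</tt> class is a constructed stand-in for a native allocator so that the double release becomes observable; <tt>UnsafeBuffer</tt> and <tt>SafeBuffer</tt> are likewise constructed for the example.</p>

```groovy
// Stand-in for a native allocator (constructed for this example): each handle must be
// released exactly once; releasing it twice is the "double free" a misused finalizer causes.
class Handles {
    static final Set<Long> live = [] as Set<Long>
    private static long counter = 0
    static synchronized long allocate() { long h = ++counter; live << h; return h }
    static synchronized void release(long h) {
        if (!live.remove(h)) throw new IllegalStateException("handle ${h} released twice")
    }
}

// Flagged by PublicFinalizeMethod: the finalizer is public, so any caller can run it.
class UnsafeBuffer {
    long handle = Handles.allocate()
    void write(String s) {
        if (!Handles.live.contains(handle)) throw new IllegalStateException("use after release of ${handle}")
    }
    public void finalize() { Handles.release(handle) }
}

UnsafeBuffer unsafe = new UnsafeBuffer()
unsafe.finalize()                          // flagged by ObjectFinalize: explicit call
try { unsafe.write('x'); assert false } catch (IllegalStateException e) { println "1: ${e.message}" }
// ... and the collector will call finalize() again later, i.e. a second release:
try { unsafe.finalize(); assert false } catch (IllegalStateException e) { println "2: ${e.message}" }

// Hardened: deterministic, idempotent release through AutoCloseable. The finalizer is
// protected, is only a last-resort safety net, and is harmless if it runs after close().
class SafeBuffer implements AutoCloseable {
    private final long handle = Handles.allocate()
    private boolean closed = false
    void write(String s) { if (closed) throw new IllegalStateException('closed') }
    synchronized void close() {
        if (!closed) { closed = true; Handles.release(handle) }
    }
    protected void finalize() {
        try { close() } finally { super.finalize() }
    }
}

SafeBuffer safe = new SafeBuffer()
try { safe.write('x') } finally { safe.close() }
safe.close()                                // second close is a no-op, not a double release
```

<p>One caveat for Groovy code in particular: dynamic dispatch does not enforce Java access modifiers, so a <tt>protected finalize()</tt> is still callable from dynamically compiled Groovy; the modifier protects against Java callers and <tt>@CompileStatic</tt> code. The real protection is the idempotent <tt>close()</tt>, which makes a stray explicit call harmless.</p>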
<div class="section">
<h3><a name="SystemExit">SystemExit</a> Rule<a name="SystemExit_Rule"></a></h3><!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<p><i>New in CodeNarc 0.14</i></p>
<p>Web applications should never call <tt>System.exit()</tt>. It shuts down the whole JVM, taking the container and every other application deployed in it down with the one that failed, which is why OWASP classes it as an application denial of service. A call to <tt>System.exit()</tt> in such code is probably leftover debug code or code imported from a non-J2EE application.</p>
<ol style="list-style-type: decimal">
<li>Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A9 Application Denial of Service</li>
<li>Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP6080 CAT II</li>
<li>Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 382</li>
<li>Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.9</li></ol></div>
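<p>The flagged pattern, its replacement, and a containment measure for legacy code, as an added example that is not part of the CodeNarc documentation. <tt>ReportJob</tt>, <tt>SafeReportJob</tt> and <tt>NoExitManager</tt> are constructed for the example; the veto relies on <tt>java.lang.SecurityManager</tt>, which is deprecated for removal since JDK 17 and must be enabled with <tt>-Djava.security.manager=allow</tt> on JDK 18 and later.</p>

```groovy
import java.security.Permission

// Flagged by the rule: an error path in a web component that takes the whole JVM down.
class ReportJob {
    static int run(String input) {
        if (!input.isInteger()) {
            System.err.println('bad input')
            System.exit(2)            // kills the container and every other deployed app
        }
        return input.toInteger() * 2
    }
}

// Corrected: fail only this request; the container logs the exception and keeps serving.
class SafeReportJob {
    static int run(String input) {
        if (!input.isInteger()) throw new IllegalArgumentException("bad input: ${input}")
        return input.toInteger() * 2
    }
}

// Containment for code you cannot fix yet: veto exit in a SecurityManager so a stray
// System.exit() becomes a catchable SecurityException instead of a JVM shutdown.
class NoExitManager extends SecurityManager {
    void checkExit(int status) { throw new SecurityException("System.exit(${status}) vetoed") }
    void checkPermission(Permission perm) { }                 // allow everything else
    void checkPermission(Permission perm, Object context) { }
}

assert SafeReportJob.run('21') == 42
try {
    SafeReportJob.run('x')
    assert false
} catch (IllegalArgumentException e) {
    println "request failed cleanly: ${e.message}"
}

System.setSecurityManager(new NoExitManager())
try {
    ReportJob.run('not-a-number')
    assert false                    // never reached: exit was vetoed
} catch (SecurityException e) {
    println "caught: ${e.message}"
}
```

<p>The veto is a safety net, not a fix: the rule exists so the call is removed from the code. Servlet containers that run under a security manager apply the same <tt>checkExit</tt> veto to deployed applications.</p>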
<div class="section">
<h3><a name="UnsafeArrayDeclaration">UnsafeArrayDeclaration</a> Rule<a name="UnsafeArrayDeclaration_Rule"></a></h3><!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
<p><i>New in CodeNarc 0.14</i></p>
<p>Triggers a violation when an array is declared public, final, and static.</p>
<p>In most cases an array declared public, final and static is a bug. Because arrays are mutable objects, the final constraint requires that the array object itself be assigned only once, but makes no guarantees about the values of the array elements. Since the array is public, a malicious program can change the values stored in the array. In most situations the array should be made private.</p>
<p>Example of violations:</p>
<div>
<pre> class MyClass {
public static final String[] myArray = init()
public static final def myArray = [] as String[]
}
</pre></div></div></div>
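<p>The NonFinalPublicField and UnsafeArrayDeclaration rules demonstrated together, as an added example that is not part of the CodeNarc documentation: a public non-final field and a public final array both let any other code in the JVM rewrite the state an access check depends on. The <tt>AllowList</tt> and <tt>SafeAllowList</tt> classes and the host names are constructed for the example.</p>

```groovy
// Flagged by both rules: public mutable state. Any code loaded in the JVM (another applet,
// a plugin, a deserialized object's readObject) can rewrite it, not just the owning class.
class AllowList {
    public static final String[] HOSTS = ['api.example.com', 'cdn.example.com']  // UnsafeArrayDeclaration
    public String mode = 'strict'                                                 // NonFinalPublicField
    boolean permits(String host) { HOSTS.contains(host) || mode == 'permissive' }
}

AllowList a = new AllowList()
assert !a.permits('evil.example.net')
AllowList.HOSTS[0] = 'evil.example.net'      // final pins the reference; the elements are writable
assert a.permits('evil.example.net')
a.mode = 'permissive'                        // non-final field: the check is switched off entirely
assert a.permits('anything.invalid')

// Hardened: private final backing state, an unmodifiable view for readers, no setter.
class SafeAllowList {
    private static final List<String> HOSTS =
        Collections.unmodifiableList(['api.example.com', 'cdn.example.com'])
    private final String mode
    SafeAllowList(String mode) { this.mode = mode }
    static List<String> getHosts() { HOSTS }                 // a view, never the backing store
    boolean permits(String host) { HOSTS.contains(host) || mode == 'permissive' }
}

SafeAllowList s = new SafeAllowList('strict')
assert !s.permits('evil.example.net')
try {
    s.hosts[0] = 'evil.example.net'
    assert false
} catch (UnsupportedOperationException e) {
    println 'host list is read-only'
}
assert !s.permits('evil.example.net')
```

<p>Groovy's dynamic dispatch does not enforce <tt>private</tt>, so on the Groovy side the <tt>final</tt> modifier is what prevents <tt>mode</tt> from being reassigned (the runtime refuses to set a final field); <tt>private</tt> still stops Java callers and statically compiled Groovy. Returning an unmodifiable <tt>List</tt> instead of the array also removes the need for defensive copies on every read.</p>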
</div>
</div>
<div class="clear">
<hr/>
</div>
<div id="footer">
<div class="xright">
Copyright © 2015.
All Rights Reserved.
</div>
<div class="clear">
<hr/>
</div>
</div>
</body>
</html>